libcli/auth: rewrite schannel sign/seal code to be more generic
[ira/wip.git] / source4 / auth / gensec / schannel.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    dcerpc schannel operations
5
6    Copyright (C) Andrew Tridgell 2004
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "auth/gensec/schannel_state.h"
31 #include "librpc/rpc/dcerpc.h"
32 #include "param/param.h"
33 #include "auth/session_proto.h"
34
35 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
36 {
37         return 32;
38 }
39
40 static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
41                                             DATA_BLOB *session_key)
42 {
43         return NT_STATUS_NOT_IMPLEMENTED;
44 }
45
46 static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
47                                        const DATA_BLOB in, DATA_BLOB *out)
48 {
49         struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
50         NTSTATUS status;
51         enum ndr_err_code ndr_err;
52         struct NL_AUTH_MESSAGE bind_schannel;
53         struct NL_AUTH_MESSAGE bind_schannel_ack;
54         struct netlogon_creds_CredentialState *creds;
55         struct ldb_context *schannel_ldb;
56         const char *workstation;
57         const char *domain;
58         uint32_t required_flags;
59
60         *out = data_blob(NULL, 0);
61
62         switch (gensec_security->gensec_role) {
63         case GENSEC_CLIENT:
64                 if (state->state != SCHANNEL_STATE_START) {
65                         /* we could parse the bind ack, but we don't know what it is yet */
66                         return NT_STATUS_OK;
67                 }
68
69                 state->creds = talloc_reference(state, cli_credentials_get_netlogon_creds(gensec_security->credentials));
70
71                 bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
72 #if 0
73                 /* to support this we'd need to have access to the full domain name */
74                 /* 0x17, 23 */
75                 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
76                                       NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
77                                       NL_FLAG_UTF8_DNS_DOMAIN_NAME |
78                                       NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
79                 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
80                 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
81                 bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
82                 /* w2k3 refuses us if we use the full DNS workstation?
83                  why? perhaps because we don't fill in the dNSHostName
84                  attribute in the machine account? */
85                 bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
86 #else
87                 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
88                                       NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
89                 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
90                 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
91 #endif
92
93                 ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
94                                                gensec_security->settings->iconv_convenience, &bind_schannel,
95                                                (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
96                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
97                         status = ndr_map_error2ntstatus(ndr_err);
98                         DEBUG(3, ("Could not create schannel bind: %s\n",
99                                   nt_errstr(status)));
100                         return status;
101                 }
102
103                 state->state = SCHANNEL_STATE_UPDATE_1;
104
105                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
106         case GENSEC_SERVER:
107
108                 required_flags = NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
109                                  NL_FLAG_OEM_NETBIOS_DOMAIN_NAME;
110
111                 if (state->state != SCHANNEL_STATE_START) {
112                         /* no third leg on this protocol */
113                         return NT_STATUS_INVALID_PARAMETER;
114                 }
115
116                 /* parse the schannel startup blob */
117                 ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx,
118                         gensec_security->settings->iconv_convenience,
119                         &bind_schannel,
120                         (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
121                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
122                         status = ndr_map_error2ntstatus(ndr_err);
123                         DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
124                                   nt_errstr(status)));
125                         return status;
126                 }
127
128                 if (!(required_flags == (bind_schannel.Flags & required_flags))) {
129                         return NT_STATUS_INVALID_PARAMETER;
130                 }
131
132                 workstation = bind_schannel.oem_netbios_computer.a;
133                 domain = bind_schannel.oem_netbios_domain.a;
134
135                 if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) {
136                         DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
137                                   domain, lp_workgroup(gensec_security->settings->lp_ctx)));
138
139                         return NT_STATUS_LOGON_FAILURE;
140                 }
141
142                 schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx,
143                                                    gensec_security->settings->lp_ctx);
144                 if (!schannel_ldb) {
145                         return NT_STATUS_ACCESS_DENIED;
146                 }
147                 /* pull the session key for this client */
148                 status = schannel_fetch_session_key_ldb(schannel_ldb,
149                                                         out_mem_ctx, workstation, &creds);
150                 talloc_free(schannel_ldb);
151                 if (!NT_STATUS_IS_OK(status)) {
152                         DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
153                                   workstation, nt_errstr(status)));
154                         if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
155                                 return NT_STATUS_LOGON_FAILURE;
156                         }
157                         return status;
158                 }
159
160                 state->creds = talloc_reference(state, creds);
161
162                 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
163                 bind_schannel_ack.Flags = 0;
164                 bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
165                                                             * this does not have
166                                                             * any meaning here
167                                                             * - gd */
168
169                 ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
170                                                gensec_security->settings->iconv_convenience, &bind_schannel_ack,
171                                                (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
172                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
173                         status = ndr_map_error2ntstatus(ndr_err);
174                         DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
175                                   workstation, nt_errstr(status)));
176                         return status;
177                 }
178
179                 state->state = SCHANNEL_STATE_UPDATE_1;
180
181                 return NT_STATUS_OK;
182         }
183         return NT_STATUS_INVALID_PARAMETER;
184 }
185
186 /**
187  * Return the struct netlogon_creds_CredentialState.
188  *
189  * Make sure not to call this unless gensec is using schannel...
190  */
191
192 /* TODO: make this non-public */
193
194 _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
195                                         TALLOC_CTX *mem_ctx,
196                                         struct netlogon_creds_CredentialState **creds)
197 {
198         struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
199
200         *creds = talloc_reference(mem_ctx, state->creds);
201         if (!*creds) {
202                 return NT_STATUS_NO_MEMORY;
203         }
204         return NT_STATUS_OK;
205 }
206
207
208 /**
209  * Returns anonymous credentials for schannel, matching Win2k3.
210  *
211  */
212
213 static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
214                                          struct auth_session_info **_session_info)
215 {
216         struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
217         return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info);
218 }
219
220 static NTSTATUS schannel_start(struct gensec_security *gensec_security)
221 {
222         struct schannel_state *state;
223
224         state = talloc(gensec_security, struct schannel_state);
225         if (!state) {
226                 return NT_STATUS_NO_MEMORY;
227         }
228
229         state->state = SCHANNEL_STATE_START;
230         state->seq_num = 0;
231         gensec_security->private_data = state;
232
233         return NT_STATUS_OK;
234 }
235
236 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
237 {
238         NTSTATUS status;
239         struct schannel_state *state;
240
241         status = schannel_start(gensec_security);
242         if (!NT_STATUS_IS_OK(status)) {
243                 return status;
244         }
245
246         state = (struct schannel_state *)gensec_security->private_data;
247         state->initiator = false;
248
249         return NT_STATUS_OK;
250 }
251
252 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
253 {
254         NTSTATUS status;
255         struct schannel_state *state;
256
257         status = schannel_start(gensec_security);
258         if (!NT_STATUS_IS_OK(status)) {
259                 return status;
260         }
261
262         state = (struct schannel_state *)gensec_security->private_data;
263         state->initiator = true;
264
265         return NT_STATUS_OK;
266 }
267
268
269 static bool schannel_have_feature(struct gensec_security *gensec_security,
270                                          uint32_t feature)
271 {
272         if (feature & (GENSEC_FEATURE_SIGN |
273                        GENSEC_FEATURE_SEAL)) {
274                 return true;
275         }
276         if (feature & GENSEC_FEATURE_DCE_STYLE) {
277                 return true;
278         }
279         if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
280                 return true;
281         }
282         return false;
283 }
284
285 /*
286   unseal a packet
287 */
288 static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
289                                        TALLOC_CTX *mem_ctx,
290                                        uint8_t *data, size_t length,
291                                        const uint8_t *whole_pdu, size_t pdu_length,
292                                        const DATA_BLOB *sig)
293 {
294         struct schannel_state *state =
295                 talloc_get_type(gensec_security->private_data,
296                                 struct schannel_state);
297
298         return netsec_incoming_packet(state, mem_ctx, true,
299                                       data, length, sig);
300 }
301
302 /*
303   check the signature on a packet
304 */
305 static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
306                                       TALLOC_CTX *mem_ctx,
307                                       const uint8_t *data, size_t length,
308                                       const uint8_t *whole_pdu, size_t pdu_length,
309                                       const DATA_BLOB *sig)
310 {
311         struct schannel_state *state =
312                 talloc_get_type(gensec_security->private_data,
313                                 struct schannel_state);
314
315         return netsec_incoming_packet(state, mem_ctx, false,
316                                       data, length, sig);
317 }
318 /*
319   seal a packet
320 */
321 static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
322                                      TALLOC_CTX *mem_ctx,
323                                      uint8_t *data, size_t length,
324                                      const uint8_t *whole_pdu, size_t pdu_length,
325                                      DATA_BLOB *sig)
326 {
327         struct schannel_state *state =
328                 talloc_get_type(gensec_security->private_data,
329                                 struct schannel_state);
330
331         return netsec_outgoing_packet(state, mem_ctx, true,
332                                       data, length, sig);
333 }
334
335 /*
336   sign a packet
337 */
338 static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
339                                      TALLOC_CTX *mem_ctx,
340                                      const uint8_t *data, size_t length,
341                                      const uint8_t *whole_pdu, size_t pdu_length,
342                                      DATA_BLOB *sig)
343 {
344         struct schannel_state *state =
345                 talloc_get_type(gensec_security->private_data,
346                                 struct schannel_state);
347
348         return netsec_outgoing_packet(state, mem_ctx, false,
349                                       data, length, sig);
350 }
351
352 static const struct gensec_security_ops gensec_schannel_security_ops = {
353         .name           = "schannel",
354         .auth_type      = DCERPC_AUTH_TYPE_SCHANNEL,
355         .client_start   = schannel_client_start,
356         .server_start   = schannel_server_start,
357         .update         = schannel_update,
358         .seal_packet    = schannel_seal_packet,
359         .sign_packet    = schannel_sign_packet,
360         .check_packet   = schannel_check_packet,
361         .unseal_packet  = schannel_unseal_packet,
362         .session_key    = schannel_session_key,
363         .session_info   = schannel_session_info,
364         .sig_size       = schannel_sig_size,
365         .have_feature   = schannel_have_feature,
366         .enabled        = true,
367         .priority       = GENSEC_SCHANNEL
368 };
369
370 _PUBLIC_ NTSTATUS gensec_schannel_init(void)
371 {
372         NTSTATUS ret;
373         ret = gensec_register(&gensec_schannel_security_ops);
374         if (!NT_STATUS_IS_OK(ret)) {
375                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
376                         gensec_schannel_security_ops.name));
377                 return ret;
378         }
379
380         return ret;
381 }